The following versions are affected:

4.02
4.03
4.04
4.05

This issue was addressed in 4.05.

If you are running an earlier version, there are two options: upgrade to a recent version or apply the patch provided below. Apple has also provided a workaround. To prevent your system from crashing when processing a malicious PDF file, you can add the following snippet to your system's Keychain; this prevents the PDF viewer app from loading any JBIG2 images:

/usr/libexec/pdf/viewer --no-jbig2
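Since the workaround above only stops the viewer from decoding JBIG2 images, a defender may also want to know beforehand which incoming PDFs carry such images at all. The following triage script is an added example, not part of this advisory and not code from Apple or Adobe: it scans a PDF for image streams whose /Filter chain includes the standard /JBIG2Decode name, undoes #xx hex escapes in names so the filter cannot be trivially disguised, and reports "inconclusive" when the file packs objects into compressed object streams (/ObjStm) that a raw byte scan cannot look inside. The PDF fragments used as input are constructed for the example and contain no real image data.

```python
"""Triage helper: flag PDF files that carry JBIG2-encoded image streams.

Added example, not part of the original advisory. It is a pre-screen that
works on the raw bytes of a file; it does not parse the PDF fully, so treat a
clean result as "nothing found", not as "safe".
"""
import re
from dataclasses import dataclass


@dataclass
class Jbig2Hit:
    obj_num: int            # PDF object number of the image stream
    has_globals: bool       # /JBIG2Globals present (shared JBIG2 segment stream)
    filter_chain: list      # filter names in the order the PDF lists them


# "N G obj ... endobj" blocks; DOTALL so stream data with newlines is covered.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# PDF names may hex-escape characters, e.g. /JBIG2#44ecode == /JBIG2Decode.
_HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so filter names compare literally."""
    return _HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def filter_chain(obj_body: bytes) -> list:
    """Return the /Filter entry as a list of names (single name or array form)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", obj_body)
    if not m:
        return []
    return [n.decode() for n in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))]


def find_jbig2_streams(pdf_bytes: bytes) -> list:
    """List every object whose filter chain includes JBIG2Decode."""
    data = normalize_names(pdf_bytes)
    hits = []
    for m in _OBJ_RE.finditer(data):
        body = m.group(3)
        chain = filter_chain(body)
        if "JBIG2Decode" in chain:
            hits.append(Jbig2Hit(int(m.group(1)), b"/JBIG2Globals" in body, chain))
    return hits


def uses_object_streams(pdf_bytes: bytes) -> bool:
    """Objects packed in /ObjStm are compressed; this scanner cannot see inside."""
    return b"/ObjStm" in normalize_names(pdf_bytes)


def triage(pdf_bytes: bytes) -> str:
    """Return 'jbig2-present', 'inconclusive' or 'no-jbig2-found'."""
    if find_jbig2_streams(pdf_bytes):
        return "jbig2-present"
    if uses_object_streams(pdf_bytes):
        return "inconclusive"   # object streams would need to be inflated first
    return "no-jbig2-found"


# Constructed sample fragments (not real files): one JBIG2 image with a globals
# stream, one JBIG2 image with a hex-escaped filter name, one plain JPEG image,
# and one file that hides its objects inside an object stream.
PDF_WITH_JBIG2 = b"""%PDF-1.7
4 0 obj
<< /Type /XObject /Subtype /Image /Width 64 /Height 64 /ColorSpace /DeviceGray
   /BitsPerComponent 1 /Filter /JBIG2Decode
   /DecodeParms << /JBIG2Globals 5 0 R >> /Length 4 >>
stream
....
endstream
endobj
5 0 obj
<< /Length 4 >>
stream
....
endstream
endobj
7 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1
   /Filter [/FlateDecode /JBIG2#44ecode] /Length 4 >>
stream
....
endstream
endobj
"""
PDF_CLEAN = b"""%PDF-1.7
4 0 obj
<< /Type /XObject /Subtype /Image /Filter /DCTDecode /Length 4 >>
stream
....
endstream
endobj
"""
PDF_OBJSTM = b"""%PDF-1.7
9 0 obj
<< /Type /ObjStm /N 3 /First 20 /Filter /FlateDecode /Length 4 >>
stream
....
endstream
endobj
"""

if __name__ == "__main__":
    for label, sample in (("jbig2", PDF_WITH_JBIG2), ("clean", PDF_CLEAN), ("objstm", PDF_OBJSTM)):
        print(label, triage(sample), find_jbig2_streams(sample))
```

To check a real file, read it in binary mode and pass the bytes to triage(); a "jbig2-present" result is a reason to route the file through a viewer with JBIG2 decoding disabled, and "inconclusive" means the object streams should be inflated (for example with a full PDF parser) before deciding.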

References: http://www.kb.cert.org/vuls/id/800239

What to do if you are still affected by CVE-2022-38170?

If you are still affected by CVE-2022-38170, there are two steps you can take to prevent the crash.

1. Download and install the latest version of Adobe Acrobat Reader DC (version 15.010).
2. To prevent your system from crashing when processing a malicious PDF file, add the following snippet to your system's Keychain:
/usr/libexec/pdf/viewer --no-jbig2

Applying the patch

The following patch can be applied to a 4.02, 4.03, or 4.04 system to address the vulnerability:

The following is a proof-of-concept PDF file that exploits the vulnerability on OS X 10.10.3 or later systems:

/Users/username/Desktop/CVE-2022-38171\Exploitable.pdf

Timeline

Published on: 08/22/2022 19:15:00 UTC
Last modified on: 09/02/2022 21:15:00 UTC

References